Makers of IoT sex toy We-Vibe fined $3m

The Canada-based maker of the We-Vibe smart vibrator, Standard Innovation, has been ordered to pay compensation to owners after the smart sex toy tracked customers’ usage without their consent.

A class action lawsuit had been filed in a court in Illinois.

The We-Vibe 4 Plus is the world’s first internet of things (IoT) vibrator with a Bluetooth connection that can be controlled remotely.

However, at the recent Def Con 24 hacking conference in Las Vegas, hackers Goldfisk and Followr showed how the sex toy could be remotely activated by anyone who could intercept it with a paired smartphone.

Case reaches climax

Image: Standard Innovation

They showed that data such as minute-by-minute temperature changes and times of use, as well as vibration intensity, could be gathered remotely.

The hackers warned that the data could be stored on Standard Innovation’s servers along with personally identifiable information such as email addresses.

The Illinois court ruled that Standard Innovation must pay a total of $3m to owners who used the vibrators’ associated app.

The fine works out at around $7,446 each for users of the app and vibrators, while those who simply bought the vibrator will claim up to $199.

The landmark ruling raises a number of questions around the security of IoT devices, especially in the rise of zombie device attacks.

In February, the CloudPets IoT teddy bear breach saw a leak of 2m voice recordings of children and parents, email addresses and password data for more than 800,000 accounts.

In a statement following the ruling, Standard Innovation said: “At Standard Innovation, we take customer privacy and data security seriously. We have enhanced our privacy notice, increased app security, provided customers [with] more choice in the data they share, and we continue to work with leading privacy and security experts to enhance the app. With this settlement, Standard Innovation can continue to focus on making new, innovative products for our customers.”